CVE-2023-28445
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Resizable ArrayBuffers passed to asynchronous functions that are shrunk during the asynchronous operation could result in an out-of-bound read/write. It is unlikely that this has been exploited in the wild, as the only version affected is Deno 1.32.0. Deno Deploy users are not affected. The problem has been resolved by disabling resizable ArrayBuffers temporarily in Deno 1.32.1. Deno 1.32.2 will re-enable resizable ArrayBuffers with a proper fix. As a workaround, run with --v8-flags=--no-harmony-rab-gsab to disable resizable ArrayBuffers.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| denoland | deno | = 1.32.0 | affected |
Weaknesses
- CWE-125: CWE-125: Out-of-bounds Read
- CWE-787: CWE-787: Out-of-bounds Write
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/denoland/deno/security/advisories/GHSA-c25x-cm9x-qqgx
- https://github.com/denoland/deno/pull/18395
- https://github.com/denoland/deno/releases/tag/v1.32.1
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/denoland/deno/security/advisories/GHSA-c25x-cm9x-qqgx
- https://github.com/denoland/deno/pull/18395
- https://github.com/denoland/deno/releases/tag/v1.32.1
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.